[openstack-dev] [security] [api] Script injection issue

Jeremy Stanley fungi at yuggoth.org
Fri Nov 17 19:24:07 UTC 2017


On 2017-11-17 15:55:33 +0000 (+0000), Tristan Cacqueray wrote:
[...]
> We had similar issues[0][1] in the past where we already drew the line
> that it is the client's responsibility to filter the API response.
> 
> Thus I agree with Jeremy, perhaps it is not ideal, but at least it
> doesn't give a false sense of security if^Wwhen the server-side
> filtering lets unpredicted malicious content through.
[...]

To be clear, I don't object to making whatever developers and API
SIG members feel are sane filtering choices service-side, it's just
that I think the VMT will consider those security hardening patches
and not vulnerability fixes. If Horizon or any other consuming
application fails to properly sanitize data before performing
potentially unsafe actions with it, that's a vulnerability and would
generally warrant an official security advisory.
-- 
Jeremy Stanley